Head of Information Security

Recruiter
The Go-Ahead Group Plc
Location
London (Central), London (Greater)
Salary
£78,000
Posted
28 Jun 2019
Closes
24 Jul 2019
Sectors
IT, Security
Contract Type
Permanent
Hours
Full Time

Overall Job Purpose:
The Head of Information Security (IS) is a senior management role within The Go-Ahead Group with the primary objective of managing our Information Security department. The key objective of the role is to manage and mitigate IS risks and threats across the group through our people, processes and IS platforms. The role involves leading and executing our IS strategy, which is based on five key principles (Protect, Detect, Respond, Action and Educate). In addition, the person will lead on maturing our IS governance, risk and compliance function, ensuring that the Go-Ahead Group is safe and secure at all times for employees and customers.

The role will work on developing and building a capable and forward-thinking IS team, providing leadership and management to the team day to day, employee development and maturing the overall function. The role will involve developing strong and collaborative matrix-managed relationships with our operating company IS leads and directors. The role will support and assist our operational colleagues as required during security incidents, ensuring any such events are quickly identified and mitigated accordingly.

The role will involve senior executive engagement both internally and externally, ensuring that Go-Ahead is compliant with applicable legislation and that IS risks are mitigated or managed accordingly. The role will act as the technical authority on all areas of IS, and will deliver the IS strategy into the business, providing technical input and consultancy on all aspects of IS.

Principal Accountabilities:
• Information Security Team Management: Lead the IS organisation developing the required capability and skills to mature and mitigate our associated IS risks and threats.
• Information Security Incident Management: developing and operating a cyber security incident detection and response capability, including interfaces with required stakeholders and agencies, threat intelligence services, forensics and root-cause analysis.
• Threat and Vulnerability Management: managing the identification and remediation of cyber security threats both as BAU and as part of delivery of new systems and capabilities.
• Supplier Management: managing the day-to-day relationship with internal and external providers of security services and ensuring that delivery of services meets contractual obligations and the continuously changing needs of the business.
• Security Operations Management: develop and manage key operational IS processes and procedures to ensure the delivery of operational security capabilities, service acceptance, security change management, problem management, metrics and reporting.
• Information Security Management System (ISMS): develop and maintain the ISMS framework across the Go-Ahead Group both nationally and internationally ensuring alignment to the associated process and procedures to manage information security delivery and incident management.
• Information Security Infrastructure: develop and manage our IS platforms and systems enabling best practices in accordance with the needs of the business, covering areas such as systems hardening, configuration compliance monitoring, network security, end-user compute protection and perimeter protection as appropriate.
• Information Security Governance, Risk and Compliance: develop and maintain a set of core GRC processes and procedures enabling strong corporate governance across The Go-Ahead Group.
• Information Security Strategy and Roadmap: develop and mature the IS strategy, roadmap and architectural principles working alongside IS colleagues and Operating Company senior execs and colleagues.

Knowledge & Experience:
• Master’s degree in Computing/IS
• Expert knowledge of core IS platforms, including areas such as SIEMs, threat intelligence, vulnerability management, firewalls, proxies, end-user AV, encryption and DDoS protection.
• Expert knowledge around IS incident management and security operations centre best-practices.
• Significant working expertise in IS governance, risk and compliance best practices, including an understanding of NIST, CIS 20 and ISO 27001/27002.
• Intermediate knowledge of PCI DSS compliance and of EU requirements under GDPR and the NIS Directive.
• Working knowledge around IT infrastructure including datacentres, WAN/LAN networking, Security Infrastructure (Firewalls/Load-Balancers/DDoS).
• Intermediate knowledge on the principles of Cyber Security, IS and DDoS protection.
• Ability to analyse complex technical and business-driven risks and to formulate well-reasoned and logical propositions to mitigate and manage the associated risks.
• Experience in direct people management and/or managing security specialists in a matrix-management environment, including cross-functional working groups and steering boards.